WinRAR has a critical security bug: here is the fix
WinRAR is a very popular program for creating and extracting archives on Windows and other supported operating systems. Part of its popularity comes from its support for many packing formats, and another part from the fact that the trial version never expires.
A bug was discovered recently that affects all versions of WinRAR prior to 5.70. The bug, a path traversal flaw that attackers can turn into code execution, is present in every WinRAR release before the 5.70 beta and thus potentially exposes all 500 million users of the application.
Security researchers discovered a flaw in a library that WinRAR uses to extract files from archives packed with the ACE format.
Attackers can exploit the vulnerability by getting users to extract specially prepared archives. The bug lets the archive dictate the extraction path: files are written to a folder of the attacker's choosing (any location the user's account can write to) instead of the folder selected by the user or the default folder for extracted files.
Tip: Find out how to repair and extract broken WinRAR archives.
An attacker could, for example, have a file written to the Windows Startup folder so that it is executed the next time the user logs on.
The researchers published a video that demonstrates the exploit.
WinRAR uses the content of a file, not its extension, to determine the archive format; this means it is not enough to avoid files with the .ace extension for the time being. Attackers can rename an ACE archive to .rar or .zip, and WinRAR will still process it as ACE.
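Because WinRAR identifies ACE data by its header, a defensive check has to do the same. The following PowerShell is an added example, not code from the original article or from WinRAR: it looks for the "**ACE**" marker that every ACE archive carries at byte offset 7 of its main header (the same marker libmagic's file utility keys on), so a renamed .rar or .zip is still flagged. The Downloads path in the usage line is an assumption.

```powershell
# Added example (not from the original article): detect ACE archives by
# content rather than by extension. The ACE main header starts with a 2-byte
# CRC, 2-byte header size, 1-byte type and 2-byte flags, followed by the
# 7-byte signature "**ACE**" at offset 7.
function Test-AceArchive {
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 14
        $n = $fs.Read($buf, 0, 14)
        if ($n -lt 14) { return $false }          # too short to be an ACE header
        $marker = [System.Text.Encoding]::ASCII.GetString($buf, 7, 7)
        return ($marker -eq '**ACE**')
    } finally {
        $fs.Dispose()
    }
}

# Walk a folder and report every file that is ACE by content, noting whether
# its extension disguises that fact (e.g. a renamed .rar or .zip).
function Find-AceFiles {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -ge 14 } |
        ForEach-Object {
            if (Test-AceArchive -Path $_.FullName) {
                [PSCustomObject]@{
                    Path      = $_.FullName
                    Extension = $_.Extension
                    Disguised = ($_.Extension -ne '.ace')
                }
            }
        }
}

# Usage (folder is an assumption for the example):
Find-AceFiles -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Anything reported with Disguised set to True is an ACE archive wearing a different extension and should not be opened with a vulnerable unpacker.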
The library responsible for the behavior is UNACEV2.DLL. The maker of WinRAR removed the file from the latest beta version of WinRAR 5.70, which drops ACE support entirely. Users can upgrade to the beta to protect their devices from the security issue.
Policies may prevent the installation of Beta software on devices, and some Home users might not want to install Beta software either on their computer systems.
These users and administrators can delete or rename the vulnerable file, UNACEV2.DLL, in the WinRAR directory to protect the device from the issue. Here is how that is done:
- Open Explorer on the Windows PC.
- Go to C:\Program Files\WinRAR if you run a 64-bit version of WinRAR.
- Go to C:\Program Files (x86)\WinRAR if you run a 32-bit version of WinRAR.
- Locate the file UNACEV2.DLL and either rename it or delete it.
- To delete: select the file UNACEV2.DLL and delete it either with a right-click and the selection of Delete from the context menu, or by using the Del key on the keyboard.
- To rename: right-click on the file and select rename.
- Restart the PC (or at least close all WinRAR instances) so that no running process still has the library loaded.
Note: This removes the option to extract ACE files using WinRAR. Other programs may ship their own copy of UNACEV2.DLL, and those copies are affected in the same way.
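The manual steps above cover the WinRAR directory only. The script below is an added example, not part of the original article or of WinRAR: it searches the common program directories for every copy of UNACEV2.DLL, renames each one so it can no longer be loaded, and reports the installed WinRAR version. Run it from an elevated PowerShell prompt; the list of root directories and the ".disabled" suffix are assumptions, and -WhatIf previews the renames without touching anything.

```powershell
# Added example (not from the original article): disable every copy of
# UNACEV2.DLL under the usual program directories, not just WinRAR's own.
function Disable-UnaceDll {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Root directories to search; this default list is an assumption.
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA)
    )
    $Roots = $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    $hits = Get-ChildItem -Path $Roots -Recurse -Filter 'unacev2.dll' -File -ErrorAction SilentlyContinue
    if (-not $hits) {
        Write-Host 'No copies of UNACEV2.DLL found.'
        return
    }
    foreach ($dll in $hits) {
        $newName = $dll.Name + '.disabled'
        if ($PSCmdlet.ShouldProcess($dll.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $dll.FullName -NewName $newName -ErrorAction Stop
            Write-Host "Disabled $($dll.FullName)"
        }
        $dll.FullName   # emit the path so the caller can log what was found
    }
}

# Report the installed WinRAR version; anything before 5.70 shipped the DLL.
function Get-WinRarVersion {
    $candidates = @(
        (Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'),
        (Join-Path ${env:ProgramFiles(x86)} 'WinRAR\WinRAR.exe')
    )
    foreach ($exe in $candidates) {
        if (Test-Path -LiteralPath $exe) {
            return (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        }
    }
    return $null
}

# Usage: preview first, then apply.
Disable-UnaceDll -WhatIf
Disable-UnaceDll
$v = Get-WinRarVersion
if ($v) { Write-Host "Installed WinRAR version: $v" } else { Write-Host 'WinRAR not found.' }
```

Renaming rather than deleting keeps the file available should a vendor update later need it, while still preventing any program from loading it under its expected name.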
I could not find information on the popularity of the ACE format. I remember that it was quite popular (and controversial) more than a decade ago.
Now You: Do you use WinRAR? My favorite program is Bandizip right now. (via Hacker News)
The ace format was quite popular in the early 2000s when it provided more compression than RAR.
I really did not even remember that file format anymore …
Thanks for the heads up! Heh, I haven’t seen a proper .ACE file in many years.
I have not seen the format either in the wild. The main issue is how WinRAR handles formats. An attacker could simply rename the prepared ACE file to RAR or ZIP to avoid detection. Doubt many would analyze the files before using WinRAR.
I still find this dll in the addon of XnView and in the directory “savapi” of 360TS.
Thank you for the info.
I use 7-zip. No problems ever, free for commercial use, great compression.
Careful there captain overconfident :)
7-Zip vulnerability affects security software
From the article:
“The security vulnerability has been fixed in 7-Zip 16.0 which has been released this month.”
The current version of 7-zip is 18.06.
There have been others, and not all fixed promptly (I’m not even sure that all have been fixed, since information is sketchy).
“The current version of 7-zip is 18.06”
No, now it's 19.00.
From 2019-02-21 on. :)
That article dates back to 2016 and the bug has already been fixed as stated in the article.
The point being that exploits can be found in different types of software of all different versions. The real issue here is that Winrar doesn’t have an auto-update feature to correct the problem, which leaves more systems vulnerable for an extended period of time. An update function in subsequent releases is the best way to mitigate this vulnerability, but that would still rely on user action to implement.
Thanks for the tip Martin. I have v5.61 installed, but I’m reluctant to upgrade a beta version, so I used your workaround to delete the file you mentioned instead.
Ditto. And thanks to Martin for the heads-up.
I’ve been using Bandizip for years – at first they were using 7-zip as their base, but now they’ve gotten rid of it and are entirely original. I think it’s the best software of them all, gets regular updates and it’s completely free.
On a side note, since it’s not entirely important – it also looks nicer than WinRAR and 7-Zip.
Bandizip is my go to for compression and extraction of files as well. I did notice that it also uses unacev2.dll. Renaming it for the time being to be on the safe side.
I have only two occurrences of unacev2.dll:
Bandizip 6.20 : C:\Program Files\Bandizip\unacev2.dll
Total Commander 9.21a : C:\Program Files\TotalCmd\UNACEV2.DLL
Bandizip handles all my compressed files
Total Commander includes compressing/decompressing several formats of which ACE
I hesitate to rename these two occurrences given they’re part of an application.
I guess Bandizip and Total Commander will both provide updates soon to mitigate this unacev2.dll issue.
I have reinstalled my PC. The current version of Total Commander doesn’t have the unacev2.dll file.
@Sigitas, thanks a lot for pointing this out! Indeed, I’ve proceeded to a clean install of ‘Total Commander’ 9.21a and the install folder has now 34 files instead of 55 previously, and no longer UNACEV2.DLL.
Looking at Bandizip history, they already fixed several Ace bugs since v6.14:
v6.14 June 19, 2018
-Fixed: Cannot extract specific RAR5 format file
-Fixed: Cannot extract specific RAR format file
-Fixed: Ace format related bugs
-Improved the stability of the program
Bandizip 6.21 Build 26481 released, changelog:
– Stop supporting ACE format due to vulnerability (CVE-2018-20250)
– Fixed: Crash problem while extracting specific NSIS
– Fixed: Shell extension does not work for the specific case
– Some minor bug fixes
There is no UNACEV2.DLL in Bandizip 6.21 ;)
A small amount of info is here:
The UnACE.dll that is the source of this vulnerability is something the author provided to developers free of charge (but not open source). There is open source (BSD-licensed) code in Python for extracting from ACE.
Only the proprietary WinACE for Windows, or ACE for commandline Windows, can create ACE archives.
Thanks for the heads up and the fix, Martin.
I always have liked the WinRar file archiving program.
The only question I am wondering about is: do other file archiving programs like 7-Zip, Bandizip, Autozipper, and others handle the ACE format differently and because of that are not at risk?
Thanks for the info, I’ve deleted the .dll file. I’d recommend you also search your PC for it, since other programs may be using it. For example, it was in my DeliPlayer installation (a brilliant, yet now abandoned music player specialised in Amiga music formats).
Just use K-Lite Codec Pack Mega that can play any audio and video format available on planet Earth ;)
I use WinRAR regularly, as it’s the only Windows program that I know of that can handle Linux compressed archives.
Seeing someone pass around an ACE file in 2019 would make me suspicious by default.
I also deleted the Ace32Loader.exe that is also in the WinRAR directory, and the program works OK.
It’s troublesome to know how long this has been around.
Glad I have not been a WinRAR user.
A simple search showed that the compromised unacev2.dll existed more than once on my system; it’s not just WinRAR. I had it in several others like PeaZip and Far Commander too. Take care, people.
Yes, the ACE format was controversial around Win98 times because the author reportedly used false benchmarks or something like that. Rar won the format war because of its features.
I wonder if Peazip is affected? I’ve been using it for 2 years now and it’s free!
What about the unrar.exe standalone executable from RarLabs? Some other software projects make use of that.
I wish everyone would stop using the .rar format altogether. Just use .zip if there is no need for compression or .7z if compression is important.
Below is where it all began:
I have WinRAR 3.5 on multiple PCs. No idea why the article claims all versions prior to … 5 or whatever have this file. FALSE … none of the PCs I have the earlier version on have this file anywhere on the PC.
This exploit is now being used to infect users with ransomware, at least those who are still running older versions of WinRAR and such.